@@ -22,14 +22,42 @@ data "google_project" "service_project" {
22
22
locals {
23
23
service_project_number = var. lookup_project_numbers ? data. google_project . service_project [0 ]. number : var. service_project_number
24
24
apis = {
25
- " container.googleapis.com" : format (" service-%s@container-engine-robot.iam.gserviceaccount.com" , local. service_project_number ),
26
- " dataproc.googleapis.com" : format (" service-%s@dataproc-accounts.iam.gserviceaccount.com" , local. service_project_number ),
27
- " dataflow.googleapis.com" : format (" service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com" , local. service_project_number ),
28
- " composer.googleapis.com" : format (" service-%s@cloudcomposer-accounts.iam.gserviceaccount.com" , local. service_project_number )
29
- " vpcaccess.googleapis.com" : format (" service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com" , local. service_project_number )
30
- " datastream.googleapis.com" : format (" service-%s@gcp-sa-datastream.iam.gserviceaccount.com" , local. service_project_number )
31
- " notebooks.googleapis.com" : format (" service-%s@gcp-sa-notebooks.iam.gserviceaccount.com" , local. service_project_number )
32
- " networkconnectivity.googleapis.com" : format (" service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com" , local. service_project_number )
25
+ " container.googleapis.com" : {
26
+ service_account = format (" service-%s@container-engine-robot.iam.gserviceaccount.com" , local. service_project_number )
27
+ role = " roles/compute.networkUser"
28
+ }
29
+ " dataproc.googleapis.com" : {
30
+ service_account = format (" service-%s@dataproc-accounts.iam.gserviceaccount.com" , local. service_project_number )
31
+ role = " roles/compute.networkUser"
32
+ },
33
+ " dataflow.googleapis.com" : {
34
+ service_account = format (" service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com" , local. service_project_number )
35
+ role = " roles/compute.networkUser"
36
+ },
37
+ " datafusion.googleapis.com" : {
38
+ service_account = format (" service-%s@gcp-sa-datafusion.iam.gserviceaccount.com" , local. service_project_number )
39
+ role = " roles/compute.networkViewer"
40
+ },
41
+ " composer.googleapis.com" : {
42
+ service_account = format (" service-%s@cloudcomposer-accounts.iam.gserviceaccount.com" , local. service_project_number )
43
+ role = " roles/compute.networkUser"
44
+ }
45
+ " vpcaccess.googleapis.com" : {
46
+ service_account = format (" service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com" , local. service_project_number )
47
+ role = " roles/compute.networkUser"
48
+ }
49
+ " datastream.googleapis.com" : {
50
+ service_account = format (" service-%s@gcp-sa-datastream.iam.gserviceaccount.com" , local. service_project_number )
51
+ role = " roles/compute.networkUser"
52
+ }
53
+ " notebooks.googleapis.com" : {
54
+ service_account = format (" service-%s@gcp-sa-notebooks.iam.gserviceaccount.com" , local. service_project_number )
55
+ role = " roles/compute.networkUser"
56
+ }
57
+ " networkconnectivity.googleapis.com" : {
58
+ service_account = format (" service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com" , local. service_project_number )
59
+ role = " roles/compute.networkUser"
60
+ }
33
61
}
34
62
gke_shared_vpc_enabled = contains (var. active_apis , " container.googleapis.com" )
35
63
composer_shared_vpc_enabled = contains (var. active_apis , " composer.googleapis.com" )
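Review bot: The new `apis` entries are separated inconsistently — `dataproc`, `dataflow` and `datafusion` close with `},` while `container`, `composer`, `vpcaccess`, `datastream`, `notebooks` and `networkconnectivity` close with a bare `}`; HCL object constructors accept newline separation, so this parses, but it reads as accidental and should be one form for all nine entries. Since `role` now drives every IAM grant in this file, the map deserves a short contract comment above it, e.g. `# role: compute role granted to the API's service agent on the host project, or on each shared subnet when subnets are listed`. The `datafusion` entry is the only one with the read-only `roles/compute.networkViewer`, which is appropriately narrower than `roles/compute.networkUser`; noting that in the comment makes it less likely a later edit "normalises" it up to networkUser. The `locals` block continues past the end of this hunk.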
@@ -44,7 +72,8 @@ locals {
44
72
/* *****************************************
45
73
if "container.googleapis.com" compute.networkUser role granted to GKE service account for GKE on shared VPC subnets
46
74
if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for dataproc on shared VPC subnets
47
- if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC subnets
75
+ if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC subnets
76
+ if "datafusion.googleapis.com" compute.networkViewer role granted to datafusion service account for Data Fusion on shared VPC subnets
48
77
if "composer.googleapis.com" compute.networkUser role granted to composer service account for Composer on shared VPC subnets
49
78
if "notebooks.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project
50
79
if "networkconnectivity.googleapis.com" compute.networkUser role granted to notebooks service account for Network Connectivity on shared VPC Project
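Review bot: The last line of this header comment (79) still says the `networkconnectivity.googleapis.com` grant goes to the `notebooks service account for Network Connectivity`, a copy-paste leftover from the notebooks entry; the same wording appears at line 136 of the `service_shared_vpc_user` header later in the diff. Suggested text: `if "networkconnectivity.googleapis.com" compute.networkUser role granted to network connectivity service account for Network Connectivity on shared VPC subnets`. The comment also omits `vpcaccess.googleapis.com` and `datastream.googleapis.com`, which are present in `local.apis`; since the role per API now lives in that map, a single pointer to `local.apis` would stay accurate longer than a hand-maintained list.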
@@ -65,13 +94,13 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
65
94
" subnetworks" ,
66
95
) + 1 ,
67
96
)
68
- role = " roles/compute.networkUser "
97
+ role = local . apis [ split ( " , " , local . subnetwork_api [ count . index ])[ 0 ]] . role
69
98
region = element (
70
99
split (" /" , split (" ," , local. subnetwork_api [count . index ])[1 ]),
71
100
index (split (" /" , split (" ," , local. subnetwork_api [count . index ])[1 ]), " regions" ) + 1 ,
72
101
)
73
102
project = var. host_project_id
74
- member = format (" serviceAccount:%s" , local. apis [split (" ," , local. subnetwork_api [count . index ])[0 ]])
103
+ member = format (" serviceAccount:%s" , local. apis [split (" ," , local. subnetwork_api [count . index ])[0 ]]. service_account )
75
104
}
76
105
77
106
/* *****************************************
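Review bot: The new `role` line (97) repeats the `split(",", local.subnetwork_api[count.index])[0]` key expression already used by `member` on line 103, and as rendered here the separator literal on the role line looks like `" , "` while the member line uses `","`; confirm both are exactly `","`, because a mismatched separator yields a key that is not in `local.apis` and the plan fails on the lookup. To avoid evaluating the split twice and keep the two lookups from drifting, `local.subnetwork_api` (defined outside this hunk) could carry objects with `api` and `subnet` attributes instead of comma-joined strings, so the resource reads `local.apis[local.subnetwork_api[count.index].api].role` and `.service_account` from the same key. The `service_shared_vpc_subnet_users` resource begins before this hunk.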
@@ -101,15 +130,16 @@ resource "google_compute_subnetwork_iam_member" "cloudservices_shared_vpc_subnet
101
130
if "container.googleapis.com" compute.networkUser role granted to GKE service account for GKE on shared VPC Project if no subnets defined
102
131
if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for Dataproc on shared VPC Project if no subnets defined
103
132
if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
133
+ if "datafusion.googleapis.com" compute.networkViewer role granted to data fusion service account for Data Fusion on shared VPC Project if no subnets defined
104
134
if "composer.googleapis.com" compute.networkUser role granted to composer service account for Composer on shared VPC Project if no subnets defined
105
135
if "notebooks.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project if no subnets defined
106
136
if "networkconnectivity.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project if no subnets defined
107
137
*****************************************/
108
138
resource "google_project_iam_member" "service_shared_vpc_user" {
109
139
for_each = (length (var. shared_vpc_subnets ) == 0 ) && var. enable_shared_vpc_service_project && var. grant_network_role ? toset (local. active_apis ) : []
110
140
project = var. host_project_id
111
- role = " roles/compute.networkUser "
112
- member = format (" serviceAccount:%s" , local. apis [each . value ])
141
+ role = local . apis [ each . value ] . role
142
+ member = format (" serviceAccount:%s" , local. apis [each . value ]. service_account )
113
143
}
114
144
115
145
/* *****************************************
@@ -120,7 +150,7 @@ resource "google_project_iam_member" "composer_host_agent" {
120
150
count = local. composer_shared_vpc_enabled && var. enable_shared_vpc_service_project && var. grant_network_role ? 1 : 0
121
151
project = var. host_project_id
122
152
role = " roles/composer.sharedVpcAgent"
123
- member = format (" serviceAccount:%s" , local. apis [" composer.googleapis.com" ])
153
+ member = format (" serviceAccount:%s" , local. apis [" composer.googleapis.com" ]. service_account )
124
154
}
125
155
126
156
/* *****************************************
@@ -131,7 +161,7 @@ resource "google_project_iam_member" "gke_host_agent" {
131
161
count = local. gke_shared_vpc_enabled && var. enable_shared_vpc_service_project && var. grant_network_role ? 1 : 0
132
162
project = var. host_project_id
133
163
role = " roles/container.hostServiceAgentUser"
134
- member = format (" serviceAccount:%s" , local. apis [" container.googleapis.com" ])
164
+ member = format (" serviceAccount:%s" , local. apis [" container.googleapis.com" ]. service_account )
135
165
}
136
166
137
167
/* *****************************************
@@ -143,7 +173,7 @@ resource "google_project_iam_member" "gke_security_admin" {
143
173
count = local. gke_shared_vpc_enabled && var. enable_shared_vpc_service_project && var. grant_services_security_admin_role ? 1 : 0
144
174
project = var. host_project_id
145
175
role = " roles/compute.securityAdmin"
146
- member = format (" serviceAccount:%s" , local. apis [" container.googleapis.com" ])
176
+ member = format (" serviceAccount:%s" , local. apis [" container.googleapis.com" ]. service_account )
147
177
}
148
178
149
179
/* *****************************************
@@ -155,5 +185,5 @@ resource "google_project_iam_member" "datastream_network_admin" {
155
185
count = local. datastream_shared_vpc_enabled && var. enable_shared_vpc_service_project && var. grant_services_network_admin_role ? 1 : 0
156
186
project = var. host_project_id
157
187
role = " roles/compute.networkAdmin"
158
- member = format (" serviceAccount:%s" , local. apis [" datastream.googleapis.com" ])
188
+ member = format (" serviceAccount:%s" , local. apis [" datastream.googleapis.com" ]. service_account )
159
189
}